ANNEX V 



THE SECRETARY OF TRANSPORTATION 

WASHINGTON, DC 20590 
February 19, 2016 


Commissioner Věra Jourova 
European Commission 
Rue de la Loi / Wetstraat 200 
1049 Brussels 
Belgium 

Re: EU-U.S. Privacy Shield Framework 


Dear Commissioner Jourova: 

The United States Department of Transportation (“Department” or “DOT”) appreciates the 
opportunity to describe its role in enforcing the EU-U.S. Privacy Shield Framework. This 
Framework plays a critical role in protecting personal data provided during commercial 
transactions in an increasingly interconnected world. It enables businesses to conduct important 
operations in the global economy, while at the same time ensuring that EU consumers retain 
important privacy protections. 

The DOT first publicly expressed its commitment to enforcement of the Safe Harbor Framework 
in a letter sent to the European Commission over 15 years ago. The DOT pledged to vigorously 
enforce the Safe Harbor Privacy Principles in that letter. The DOT continues to uphold this 
commitment and this letter memorializes that commitment. 

Notably, the DOT renews its commitment in the following key areas: (1) prioritization of 
investigation of alleged Privacy Shield violations; (2) appropriate enforcement action against 
entities making false or deceptive Privacy Shield certification claims; and (3) monitoring and 
making public enforcement orders concerning Privacy Shield violations. We provide 
information about each of these commitments and, for necessary context, pertinent background 
about the DOT’s role in protecting consumer privacy and enforcing the Privacy Shield 
Framework. 

I. Background 

A. DOT's Privacy Authority 

The Department is strongly committed to ensuring the privacy of information provided by 
consumers to airlines and ticket agents. The DOT's authority to take action in this area is found 
in 49 U.S.C. 41712, which prohibits a carrier or ticket agent from engaging in “an unfair or 
deceptive practice or an unfair method of competition” in the sale of air transportation that 
results or is likely to result in consumer harm. Section 41712 is patterned after Section 5 of the 
Federal Trade Commission (FTC) Act (15 U.S.C. 45). We interpret our unfair or deceptive 
practice statute as prohibiting an airline or ticket agent from: (1) violating the terms of its 
privacy policy; or (2) gathering or disclosing private information in a way that violates public 
policy, is immoral, or causes substantial consumer injury not offset by any countervailing 
benefits. We also interpret section 41712 as prohibiting carriers and ticket agents from: (1) 
violating any rule issued by the Department that identifies specific privacy practices as unfair or 
deceptive; or (2) violating the Children’s Online Privacy Protection Act (COPPA) or FTC rules 
implementing COPPA. Under federal law, the DOT has exclusive authority to regulate the 
privacy practices of airlines, and it shares jurisdiction with the FTC with respect to the privacy 
practices of ticket agents in the sale of air transportation. 

As such, once a carrier or seller of air transportation publicly commits to the Privacy Shield 
Framework’s privacy principles the Department is able to use the statutory powers of section 
41712 to ensure compliance with those principles. Therefore, once a passenger provides 
information to a carrier or ticket agent that has committed to honoring the Privacy Shield 
Framework’s privacy principles, any failure to do so by the carrier or ticket agent would be a 
violation of section 41712. 

B. Enforcement Practices 

The Department’s Office of Aviation Enforcement and Proceedings (Aviation Enforcement 
Office) investigates and prosecutes cases under 49 U.S.C. 41712. It enforces the statutory 
prohibition in section 41712 against unfair and deceptive practices primarily through negotiation, 
preparing cease and desist orders, and drafting orders assessing civil penalties. The office learns 
of potential violations largely from complaints it receives from individuals, travel agents, 
airlines, and U.S. and foreign government agencies. Consumers may use the DOT’s website to 
file privacy complaints against airlines and ticket agents. 1 

If a reasonable and appropriate settlement in a case is not reached, the Aviation Enforcement 
Office has the authority to institute an enforcement proceeding involving an evidentiary hearing 
before a DOT administrative law judge (ALJ). The ALJ has the authority to issue cease-and- 
desist orders and civil penalties. Violations of section 41712 can result in the issuance of cease 
and desist orders and the imposition of civil penalties of up to $27,500 for each violation of 
section 41712. 

The Department does not have the authority to award damages or provide pecuniary relief to 
individual complainants. However, the Department does have the authority to approve 
settlements resulting from investigations brought by its Aviation Enforcement Office that 
directly benefit consumers (e.g., cash, vouchers) as an offset to monetary penalties otherwise 
payable to the U.S. Government. This has occurred in the past, and may also occur in the 
context of the Privacy Shield Framework principles when circumstances warrant. Repeated 
violations of section 41712 by an airline would also raise questions regarding the airline’s 
compliance disposition which could, in egregious situations, result in an airline being found to be 
no longer fit to operate and, therefore, losing its economic operating authority. 


1 http://www.transportation.gov/airconsumer/privacy-complaints. 





To date, the DOT has received relatively few complaints involving alleged privacy violations by 
ticket agents or airlines. When they arise, they are investigated according to the principles set 
forth above. 

C. DOT Legal Protections Benefiting EU Consumers 

Under section 41712, the prohibition on unfair or deceptive practices in air transportation or 
the sale of air transportation applies to U.S. and foreign air carriers as well as ticket agents. The 
DOT frequently takes action against U.S. and foreign airlines for practices that affect both 
foreign and U.S. consumers on the basis that the airline’s practices took place in the course of 
providing transportation to or from the United States. The DOT does and will continue to use all 
remedies that are available to protect both foreign and U.S. consumers from unfair or deceptive 
practices in air transportation by regulated entities. 

The DOT also enforces, with respect to airlines, other targeted laws whose protections extend 
to non-U.S. consumers such as COPPA. Among other things, COPPA requires that operators of 
child-directed websites and online services, or general audience sites that knowingly collect 
personal information from children under 13 provide parental notice and obtain verifiable 
parental consent. U.S.-based websites and services that are subject to COPPA and collect 
personal information from foreign children are required to comply with COPPA. Foreign-based 
websites and online services must also comply with COPPA if they are directed to children in the 
United States, or if they knowingly collect personal information from children in the United 
States. To the extent that U.S. or foreign airlines doing business in the United States violate 
COPPA, the DOT would have jurisdiction to take enforcement action. 

II. Privacy Shield Enforcement 

If an airline or ticket agent chooses to participate in the Privacy Shield Framework and the 
Department receives a complaint that such an airline or ticket agent had allegedly violated the 
Framework, the Department would take the following steps to vigorously enforce the 
Framework. 

A. Prioritizing Investigation of Alleged Violations 

The Department’s Aviation Enforcement Office will investigate each complaint alleging Privacy 
Shield violations (including complaints received from EU Data Protection Authorities) and take 
enforcement action where there is evidence of a violation. Further, the Aviation Enforcement 
Office will cooperate with the FTC and Department of Commerce and give priority 
consideration to allegations that the regulated entities are not complying with privacy 
commitments made as part of the Privacy Shield Framework. 

Upon receipt of an allegation of a violation of the Privacy Shield Framework, the Department’s 
Aviation Enforcement Office may take a range of actions as part of its investigation. For 
example, it may review the ticket agent or airline’s privacy policies, obtain further information 
from the ticket agent or airline or from third parties, follow up with the referring entity, and 
assess whether there is a pattern of violations or significant number of consumers affected. In 
addition, it would determine whether the issue implicates matters within the purview of the 
Department of Commerce or FTC, assess whether consumer education and business education 
would be helpful, and as appropriate, initiate an enforcement proceeding. 

If the Department becomes aware of potential Privacy Shield violations by ticket agents, it will 
coordinate with the FTC on the matter. We will also advise the FTC and the Department of 
Commerce of the outcome of any Privacy Shield enforcement action. 

B. Addressing False or Deceptive Membership Claims 

The Department remains committed to investigating Privacy Shield violations, including false or 
deceptive claims of membership in the Privacy Shield Program. We will give priority 
consideration to referrals from the Department of Commerce regarding organizations that it 
identifies as improperly holding themselves out to be current members of Privacy Shield or using 
the Privacy Shield Framework certification mark without authorization. 

In addition, we note that if an organization's privacy policy promises that it complies with the 
substantive Privacy Shield principles, its failure to make or maintain a registration with the 
Department of Commerce likely will not, by itself, excuse the organization from DOT 
enforcement of those commitments. 

C. Monitoring and Making Public Enforcement Orders Concerning Privacy Shield 
Violations 

The Department’s Aviation Enforcement Office also remains committed to monitoring 
enforcement orders as needed to ensure compliance with the Privacy Shield program. 
Specifically, if the office issues an order directing an airline or ticket agent to cease and desist 
from future violations of Privacy Shield and section 41712, it will monitor the entity's 
compliance with the cease-and-desist provision in the order. In addition, the office will ensure 
that orders resulting from Privacy Shield cases are available on its website. 

We look forward to our continued work with our federal partners and EU stakeholders on 
Privacy Shield matters. 

I hope that this information proves helpful. If you have any questions or need further 
information, please feel free to contact me. 



Secretary of Transportation 




